On August 21st quite a few people across organizations got this document in what looks like a large phishing campaign. I wanted to understand what this malware does, since it had very low detection on VirusTotal. Here is my effort to understand the malware and to record indicators for further hunting and investigation.

Step 1:

Identifying the malicious document

Looks like some kind of dropper. It was interesting that VT first saw this file in 2010, with the first submission on August 21st. Where was it hiding for 7 years?

Step 2:

Detonating the malware

I run a couple of custom (Windows 7 & Windows 10) sandboxes with Sysmon from Sysinternals. All web traffic is intercepted with an intercepting web proxy. The network traffic is analyzed and all metadata is extracted and stored.

What did I learn? (End users are the weakest link)

The first thing the document does is it tricks the user into thinking that the document is actually locked / protected.

We are selling these #privacy #torbox routers for CA$35 + shipping. Message me if you are interested.
PayPal: cmaj(at)byteseclabs.com
Bitcoin: 156SLTpHjWRkLhkgz8mRNmbbwxuERZ3irY
You can DIY too: https://goo.gl/OOw7Ig

I had a few friends ask if they could buy a cheap travel router that protects their internet activity as they travel around the globe. So my criteria:

Cheap (<$20.00)

Portable (ideally pocket size)

I knew I wanted a little travel router that supports OpenWRT and has enough RAM and storage to install Tor. There were a few routers that I liked, but I went with the NEXX WT3020H. There are a couple of models that look the same; except for the "A" model, all of them are the same inside. Don't get the A model, it does not have enough resources to run LuCI and Tor. Pictures below are of my WT3020H. I purchased mine from Aliexpress.

There are a few getting-started articles online that explain how to install OpenWRT on this device and how to install Tor. Everything I have seen so far is incomplete: it either allows DNS leaks or does not allow .onion URLs. This is why I wanted to write this post and help anyone else who is trying to do the same. The script is agnostic of the hardware, so it should install on other OpenWRT devices as well.

I get really excited any time I get to use my Raspberry Pi Zero. When I saw Rob Fuller's (@mubix) tweet this morning I got really excited. Coincidentally I have a thing for single-board computers and have been playing with the USB gadget mode of the Pi Zero for the last couple of weeks. As soon as I saw the tweet I knew I had to do this with the Pi Zero.

Requirements:

RaspberryPi Zero

4GB or larger Micro SD Card

OTG USB Cable

USB Ethernet adapter or WiFi Dongle (initial setup)

I am going to assume that the reader knows how to flash an image onto the SD card. I went with the Raspbian Lite version, as it is better with RAM utilization on the Pi. Boot up the Raspberry Pi Zero and install the software required:

Create the configuration file for screen

Once the above steps are completed, shut down the Pi Zero (shutdown -h now) and remove the micro SD card. Connect the micro SD card to your computer. We need to modify config.txt and cmdline.txt to turn the OTG port into a virtual Ethernet port. Please ensure that you are running a version of Raspbian released after May 2016.

Edit config.txt

Add this after the last line:

dtoverlay=dwc2

Edit cmdline.txt

After rootwait (the last word on the first line) add a space and then

modules-load=dwc2,g_ether

Safely eject the micro SD card and put it back in the Pi Zero. The device is ready; use the USB OTG cable to connect it to the PC. Happy Hacking!

I have been working in a Systems Administrator role for over 10 years, and I am constantly asked by home users and peers at work how to secure infrastructure and how to monitor effectively. One of the biggest issues with securing infrastructure is identifying potential attack vectors and running risk analysis scenarios. Unfortunately this also means understanding who is trying to attack you or your business and what's in it for them.

I would like to start off with securing your personal infrastructure, and later show how this ties in with securing your business. The biggest reason for personal attacks is identity theft. Let's face it, money is the biggest motivation for this industry. Building a botnet or zombie network is another reason why evil-doers want to have control over your system(s). They want your compute power and they need your bandwidth to launch DDoS attacks against services. In the world we live in, these types of attacks are orchestrated by two distinct groups:

Now that we have identified the two most common types of personal attacks, let's see what we can do to secure ourselves. I should point out a couple of things before we get to the nitty-gritty:

Paranoia is good. The consensus among people like us is to keep an open mind but question everything.

If you make it difficult for attackers, they will quickly move along to the next unsuspecting victim.

Now that I got this off my chest, let's see what we can do in our personal lives to stay secure. I titled this article "TOP 5" so I will highlight the top five tips for personal security:

Do not use the same password everywhere. Use different passwords for every service you use online, your home WiFi, your email, your password to log in to your computer, etc. Do not use simple passwords, passwords shorter than 8 characters, or dictionary words. Instead use complex 9+ character passwords with numbers, upper and lower case characters, and special characters like ,!@# etc. Try to use two-factor authentication for services that offer it (Google, Facebook, Microsoft, Twitter, and many more). If you are thinking this is insane and wondering how you can memorize such passwords, you are thinking along the right path. Passwords that are easy to remember are easy to hack. Instead, use an application like KeePass or Password Safe to track your passwords. KeePass works on Windows, Linux, Mac OS and smartphones, and I use it for storing my passwords.

Do not use pirated software. The issue with pirated software is that almost 99.9999% of the time the software is tampered with to let you use it by bypassing the activation / security in place to prevent unauthorized usage. What you almost never know is what else was actually changed. We notice that applications downloaded from shady websites may include malware that installs along with the software, giving the attacker persistent access to your system. We have noticed this trend in the industry over and over again: rootkits embedded in applications downloaded from torrents. Here is a link to such an attack from 2011 to show that this is not a new trend. Another issue with cracked software is that it cannot be updated, leaving you stuck with an old, vulnerable version and waiting to tempt fate.

Regularly update your system and run good antivirus software. Enterprises patch vulnerabilities in their systems. This is a cyclical process, and patches are created as vulnerabilities are discovered. The problem with running old software is that there is a very good chance that your system has a vulnerability and that there is an active exploit out there being used by evil-doers to gain access. If you prefer to wait before patching, prioritizing what to patch is a good idea too. Web browsers and plugins (Flash, Java, Acrobat Reader) are usually the most attacked software. If you like visiting questionable sites, or get emails with attachments from unknown people, use a sandboxed environment for your day-to-day stuff. Sandboxie is a great application that does this. If you use a professional antivirus solution, like Avast, it comes with this option built in. Also, please keep your firewall turned on. Firewalls were designed for a good reason, and they act as the first line of defense against online threats.

Back up your systems regularly. We are seeing the growth of "ransomware". This is a new type of malware that holds your personal data hostage, and unless you pay, they won't provide you with the keys to decrypt your data. If you have regular backups, then you can easily restore the data from the backup. Both Windows and Mac OS have great backup solutions baked into the operating system for free. This way, if you have hardware damage and/or malware destroys your files, you can get your data back without breaking a sweat or your bank account. If you prefer a third-party backup solution, companies like Acronis provide reliable products.

If you've implemented points 1-4, you are already doing a good job of staying secure; just don't get social engineered and give up your data to strangers. This is one of the most important issues with security: the human factor. Be careful of what you post on social media, and be careful of what information you give out to people. If you tell everyone that your first pet's name was "fluffy", and the security question for your favorite mail service is "what is your first pet's name?", then it does not matter how secure your password is; it will be easy to reset it and take over your email account. This also means that if this email was used to sign up for other services, those services then get owned by the attacker too. I will leave this tip up to your imagination, but this is why paranoia is a good friend. Question everything and be very careful about the information you give out freely. I want to add: avoid using open WiFi, or at least use a VPN connection when surfing from an open WiFi hotspot.

Please let me know what you think in the comments below. If you disagree, I would love to see some feedback and constructive criticism as I prepare for the TOP 5: Enterprise Security Tips.

My quest for learning and building parallelism turned a new page. I mustered the courage to build a Raspberry Pi MPI cluster to test and code MPI. A couple of my friends at the University of Alberta have been running MPI-based code to crunch fluid dynamics problems. My goal was to build a farm of CPUs I can dedicate to do #STUFF at a very cheap price point.

I used PLA and the finished product looked quite nice. It took about 2 hours to print 4 frames. After about 5 hours I had the bottom and the top pieces printed. I also started installing Raspbian on the 9 SD cards. I used Win32DiskImager on a Windows 7 machine to create the SD cards. I started inserting the Pis into the bottom pieces and then realized the biggest issue with this concept would be delivering power to the Pis. So I decided to build my own. The Pis draw about 450-550 mA depending on CPU load. With 9 of them I needed a PSU that can provide at least 5.5 A to be safe. I soon realized that when these Pis power on they can draw up to 700 mA. So I purchased a 5V 12A switching PSU from my local store and built a simple power distribution circuit.

The DIP switches can turn the Pis on or off. The main purpose of the 220uF capacitor is to smooth out the voltage; it is probably not required. The red LED tells me that the PSU is on and supplying power. I built 2 of these, as I was trying out a couple of different designs. I used the female jumpers to power the Pis.

Once the Pis were powered up I SSHed into them and used "sudo raspi-config" to configure the CPU to run at 800 MHz, set GPU RAM to 16 MB, and expand the image to utilize the full 8 GB. I could feel my goal getting closer to completion with every keystroke. I wrote a little shell script to automate the MPI installation and configuration. It's not 100% automated but close enough:

Disclaimer:

This article applies to Debian-based Linux and Ubuntu variants

Does not work if the user's home directory is encrypted

Getting started:

I will be demonstrating how to use the Google Authenticator PAM module for two-factor authentication. Google Authenticator uses a time-based OTP (TOTP) algorithm and does not phone home to work. You will need an Android or iOS device with the Google Authenticator app installed.

Follow the instructions to generate a key by pressing "y". Copy the secret key, the verification code and the scratch codes and store them securely. Scan the barcode with the app on your phone to initialize the code. Please note that at this point we have only installed the module and generated a key. We still have to enable the PAM module for SSH login manually. The steps below update the "pam.d" config file to allow "pam_google_authenticator.so", set "ChallengeResponseAuthentication yes" in "sshd_config", and then restart the SSH service.

Open pam.d/sshd with vi or nano:

sudo nano /etc/pam.d/sshd

and add the line:

auth required pam_google_authenticator.so

Open sshd_config, locate the ChallengeResponseAuthentication line, and edit it to say "ChallengeResponseAuthentication yes":

sudo nano /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

Restart SSH service:

sudo service ssh restart

Next time you SSH in you will be prompted for your password and the OTP before you are authenticated.
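The two file edits above are easy to get wrong by hand (a duplicated PAM line, or a commented-out ChallengeResponseAuthentication directive left in place). The script below is an added example, not part of the original post: it applies both edits idempotently to whatever file paths it is given, so you can rehearse on copies before pointing it at /etc/pam.d/sshd and /etc/ssh/sshd_config. The sample file contents in the demo at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Applies the two edits the post
# describes, to files passed in as arguments, so it can be rehearsed on copies.

PAM_LINE='auth required pam_google_authenticator.so'
CRA_LINE='ChallengeResponseAuthentication yes'

# Append the PAM line once; running it a second time must not duplicate it.
add_pam_line() {
    if grep -q 'pam_google_authenticator.so' "$1"; then
        return 0
    fi
    printf '%s\n' "$PAM_LINE" >> "$1"
}

# Force ChallengeResponseAuthentication to "yes": rewrite an existing
# (possibly commented-out) directive in place, otherwise append one.
set_challenge_response() {
    cfg="$1"
    pattern='^[[:space:]]*#?[[:space:]]*ChallengeResponseAuthentication[[:space:]]'
    if grep -Eq "$pattern" "$cfg"; then
        sed -E "s/${pattern}.*/${CRA_LINE}/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s\n' "$CRA_LINE" >> "$cfg"
    fi
}

# Succeeds only when both files carry exactly the lines the post asks for.
verify_2fa_config() {
    grep -qx "$PAM_LINE" "$1" && grep -qx "$CRA_LINE" "$2"
}

# apply_2fa_config <pam.d/sshd path> <sshd_config path>
apply_2fa_config() {
    add_pam_line "$1" && set_challenge_response "$2" && verify_2fa_config "$1" "$2"
}

# Demo on constructed copies; the sshd_config line is the usual commented default.
workdir=$(mktemp -d)
printf '@include common-auth\n' > "$workdir/pam_sshd"
printf 'Port 22\n#ChallengeResponseAuthentication no\n' > "$workdir/sshd_config"
apply_2fa_config "$workdir/pam_sshd" "$workdir/sshd_config" && echo "rehearsal OK:"
cat "$workdir/pam_sshd" "$workdir/sshd_config"
rm -rf "$workdir"
```

Two things worth knowing before running this against the real files: keep an existing SSH session open while you restart sshd, so a mistake does not lock you out; and note that the PAM line only governs keyboard-interactive logins, so a user who authenticates with a public key is not asked for the OTP unless sshd's AuthenticationMethods is also configured to require both. On OpenSSH 8.7 and newer, ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication; it still works, but the new name is what appears in the default config.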

Once this information is filled in, click on "Connection" > expand "SSH" > "Tunnels" and fill in the tunnel information.

Click Add when done. On the menu to the left scroll all the way up, click "Session" and then click "Save" to save the changes to the configuration. Click "Open" to launch the connection. PuTTY will warn that the host key is not recognized if this is the first time you are connecting. Click Yes to save the key in the registry. I will go over key verification in another post. You will be prompted for your password at this stage. Please type it to complete the process.
Once in, open your browser of choice and change the proxy settings to SOCKS v5, Server / IP = 127.0.0.1, Port: 8090, and you will be tunneling traffic like 1337.

Part III will cover setting up the SSH client in Linux, and public / private key based encryption in Linux and Windows. Hope you enjoyed it; please comment below.

Checking your Facebook page from Starbucks? Checked your banking information from the hotel WiFi? Or are you going to Defcon this year?

Public internet is not secure and there is a need for secure browsing. There are many ways to achieve this, obfuscate the traffic from eavesdroppers, and protect ourselves against Man-in-the-Middle (MITM) attacks. After trying a few different solutions like the Tor Project, Hotspot Shield and a few others like them, I decided to set up my own SSH server so that I can create a secure tunnel between my laptop and the SSH server and use that as a SOCKS v5 proxy. If you are still interested, I will try to cover the following topics over the next few days:

Install and configure an SSH server (FreeBSD 9.0)

Create users.

Secure and harden the server.

Configure the SSH client (PuTTY) in Windows

Create Public and Private keys for authentication

Set up Password-less login.

I wanted to point out that FreeBSD is really stable, uses very few resources, and is my server of choice. I have tested the same on Debian 6.0.4 and it works just as well. All the steps I am about to show should be easy to replicate on all *NIX type systems. I also wanted to point out that a Virtual Private Server will give you better performance than hosting the SSH server at home.

I have been researching online for other people who have been working along the lines of using a Teensy or a similar HID device as a penetration testing tool. Check out these fellows:

Adrian Crenshaw at irongeek.com has done some amazing work on the Teensy platform. Had I been at Defcon 18, I would have known that he started this project back in 2010. Check out this page for information on his research and the Programmable HID USB Keystroke Dongle (PHUKD) library.

Darren Kitchen from Hak5.org has been working on a project he likes to call the USB Rubber Ducky. Check out their forum to find out more.

Check out @pastebin:
n3onli8.cpp http://pastebin.com/Q5bkU1t8
n3onli8.h http://pastebin.com/trrtYdec
Save the .h and .cpp files in a folder called n3onli8 in arduino-0022\arduino-0022\libraries\. Please note the numbers may vary with your version of the Arduino SDK.

Earlier this year at Defcon I got introduced to the world of exploiting human interface devices (HID). At first I was wowed by the simplicity of the attack. I could not wait to get my hands on my first Teensy from www.pjrc.com.

On first run, depending on the system it is being plugged into, there can be a fair bit of delay while the drivers initialize, which means the code may start executing before the keyboard is ready and the exploit is a FAIL!

BYTESEC Labs Blog

At BYTESEC Labs we are constantly working with new ideas and new ways to secure communication, automate and improve processes. We strongly believe that technology can be improved by making it publicly accessible.

We hope to make this knowledge available and easy to implement through this blog.